From: Dan Carpenter Date: Thu, 15 Jul 2010 08:23:10 +0000 (+0200) Subject: orinoco_usb: potential null dereference X-Git-Tag: MMI-PSA29.97-13-9~23092^2~107^2~25 X-Git-Url: https://git.stricted.de/?a=commitdiff_plain;h=48d5548fc5e5ad79ca98a287b67f403834929739;p=GitHub%2FMotorolaMobilityLLC%2Fkernel-slsi.git orinoco_usb: potential null dereference Smatch complains that "upriv->read_urb" gets dereferenced before checking for NULL. It turns out that it's possible for "upriv->read_urb" to be NULL so I added checks around the dereferences. Also I remove an "if (upriv->bap_buf != NULL)" check because "kfree(NULL) is OK. Signed-off-by: Dan Carpenter Signed-off-by: John W. Linville --- diff --git a/drivers/net/wireless/orinoco/orinoco_usb.c b/drivers/net/wireless/orinoco/orinoco_usb.c index 020da76c9558..b7864001e7e1 100644 --- a/drivers/net/wireless/orinoco/orinoco_usb.c +++ b/drivers/net/wireless/orinoco/orinoco_usb.c @@ -1502,16 +1502,16 @@ static inline void ezusb_delete(struct ezusb_priv *upriv) ezusb_ctx_complete(list_entry(item, struct request_context, list)); - if (upriv->read_urb->status == -EINPROGRESS) + if (upriv->read_urb && upriv->read_urb->status == -EINPROGRESS) printk(KERN_ERR PFX "Some URB in progress\n"); mutex_unlock(&upriv->mtx); - kfree(upriv->read_urb->transfer_buffer); - if (upriv->bap_buf != NULL) - kfree(upriv->bap_buf); - if (upriv->read_urb != NULL) + if (upriv->read_urb) { + kfree(upriv->read_urb->transfer_buffer); usb_free_urb(upriv->read_urb); + } + kfree(upriv->bap_buf); if (upriv->dev) { struct orinoco_private *priv = ndev_priv(upriv->dev); orinoco_if_del(priv);